I'm currently learning MySQL by creating an REST API using Express. I've opted for validating data on the server instead of the database. My question is, WHERE on the server should I do that?
Should I validate data (for example minimum and maximum length for the username)...
...using a middleware before the controller file?
...in the controller file, after reciving the request and before sending the data to the models file? (example file below)
...the models file before querying? (example file below)
...some completely other solution I haven't thought of?
./controllers/authController.js
const register = async (req, res) => {
const { username, email, password } = req.body;
**// Validating input data here?**
// TODO hash password
const activationToken = generateActivationToken(48);
const newUser = await User.create(
{ username, email, password, activationToken },
(err, result) => {
console.log(err);
if (err)
return res.status(400).json({
msg: err.message || "Some error has occured. Please try again.",
});
else res.json({ result });
}
);
};
./models/User.js
var db = require("../dbconnection");
// constructor for User object
const User = function (user) {
this.username = user.username;
this.email = user.email;
this.password = user.password;
this.activationToken = user.activationToken;
};
User.create = (newUser, result) => {
**// Validating input data here?**
db.query("INSERT INTO users SET ?", newUser, (err, res) => {
if (err) return result(err, null);
console.log("Created user.");
result(null, { id: res.insertId });
});
};
module.exports = User;
What's the usual/best practice way of doing this? If there isn't a best practice, how do YOU do it? (I validate data on the front-end too of course.) Do you know of any good example projects I could take a look at?
Thank you for your time!
In OOP there's a principle called as:
"The information Expert principle"
According to this principle we should assign responsibilities / methods inside the objects that contain the most information to fulfil the task
(It helps us create cohesive classes).
So, you should probably put the validation logic inside the User model.
Related
I found that there are 2 different ways to write node functions using promise or callback, the first way is like following defining the findByEmail function:
class Users{
static async findByEmail(email: any ) : Promise<Users | undefined>{
const user: any = await Pools.execute(
"SELECT * FROM users WHERE email = ?",
[email])
.then(rows => {
return rows[0];
})
.catch(err => console.log(err) );
return user;
};
}
router.post(
"/api/users/signin",
async (req: Request, res: Response , next: NextFunction) => {
const { email, password } = req.body;
const existingUser = await Users.findByEmail(email);
});
And the second way would be like:
declare global {
namespace Express {
interface Response {
user?: Users;
}
}
}
static async findByEmail(req: Request, res: Response) {
const user = await Pools.execute(
"SELECT * FROM users WHERE email = ?",
[req.body.email])
.then(rows => {
res.user = rows[0];
})
.catch(err => console.log(err) );
};
router.post(
"/api/users/signin",
async (req: Request, res: Response , next: NextFunction) => {
await Users.findByEmail(req, res);
const existingUser = res.user;
});
I am not sure if this is a "opinion based" question or not? However my purpose of asking this is to know which way is a better practice and why? According to performance and other possible issues?
In particular I like to know either it is better to write functions with the return value or using response object to add the returning value to that inside the then() function, like .then(res.user = user) instead of const user = await pool.execute(SELECT ...) ?
Here's a way to impalement that makes the following improvements:
Makes findByEmail() into a utility function that is independent of the req and res objects and thus can be used generally.
Properly propagates all errors from findByEmail() back to the caller.
Implements some validation checks on incoming email field and makes separate error path for that.
Log all errors on the server
Check for all error conditions from the database request
Not mixing .then() and await.
Here's the code:
// resolves to null if email not found
// rejects if there's a database error
static async findByEmail(email) {
const rows = await Pools.execute("SELECT * FROM users WHERE email = ?", [email]);
if (!rows || !rows.length || !rows[0]) {
return null;
}
return rows[0];
};
router.post("/api/users/signin", async (req: Request, res: Response, next: NextFunction) => {
try {
// validate incoming parameters
if (!req.body.email) {
let errMsg = "No email value present in incoming signin request";
console.log(errMsg);
res.status(400).send(errMsg);
return;
}
let user = await Users.findByEmail(req.body.email);
if (!user) {
// do whatever you would do if user tries to signin with non-existent email
// presumably return something like a 404 status
} else {
// do whatever you wanted to do here with the user object after login
}
} catch(e) {
// some sort of server error here, probably a database error, not the client's fault
console.log(e);
res.sendStatus(500);
}
});
I needed a DB for an alexa app, so I set up and and it INSERTS nicely, but when im trying to SELECT and save it to a variable the values saved to the variable are [Object Object] instead of wanted value, I know it can be async problem or parsing problem but i just cant fix the code, some help would be cool,
canHandle(handlerInput) {
return Alexa.getRequestType(handlerInput.requestEnvelope) === 'IntentRequest'
&& Alexa.getIntentName(handlerInput.requestEnvelope) === 'buscaIntent';
},
handle(handlerInput) {
const mysql = require('mysql');
const connection = mysql.createConnection
({
host: 'remotemysql.com',
user: 'RBb34534sd',
password: 'xxxxxxxxx',
database: 'RBsdfewrg'
});
var stat = connection.query('SELECT `spe` FROM `prueba` WHERE `nombre` LIKE "raichu" limit 1', function (err, result, fields) {
if (err) throw err;
console.log(result);
return result[0];
});
connection.end();
return handlerInput.responseBuilder
.speak("Busc " + stat)
.reprompt("reprompt buscar")
.getResponse();
}
}; ```
The issue is that you're not waiting for your database query to complete before sending your response to the Alexa service. Requests in node.js are non-blocking, meaning you either need to nest the request with a callback, or leverage Promises / async-await patterns so that the SQL query is processed before the function is fully executed.
You can read more on converting the built-in library for SQL connections to support Promises here, or use a library like this that already has a wrapper in place.
In either scenario, the end result would be refactored to something like this:
canHandle(handlerInput) {
return Alexa.getRequestType(handlerInput.requestEnvelope) === 'IntentRequest'
&& Alexa.getIntentName(handlerInput.requestEnvelope) === 'buscaIntent';
},
async handle(handlerInput) {
const mysql = require('mysql2/promise');
const connection = await mysql.createConnection
({
host: 'remotemysql.com',
user: 'RBb34534sd',
password: 'xxxxxxxxx',
database: 'RBsdfewrg'
});
var stat = await connection.execute('SELECT `spe` FROM `prueba` WHERE `nombre` LIKE "raichu" limit 1', function (err, result, fields) {
if (err) throw err;
console.log(result);
return result[0];
});
return handlerInput.responseBuilder
.speak("Busc " + stat)
.reprompt("reprompt buscar")
.getResponse();
}
Another article describing async calls for Alexa requests here.
I think the query is returning an object you can't keep the object in speech. Check what's inside the object and if you have a field that you want inside that object then access by stat.YourField.
I am working on a discord.js bot, and I'm storing a bunch of information on various servers in a database. The problem is, that the code doesn't wait for the database to return the results. In the current situation, I'm trying to check if the server specific prefix checks out.
I tried using async and await at various places, but those didn't work. If I could, I'd rather not use .then(), because I don't really want to put all the commands inside a .then().
const { Client, Attachment, RichEmbed } = require('discord.js');
const client = new Client();
const mysql = require("mysql");
const config = require("./config.json")
var con = mysql.createConnection({
host: 'localhost',
user: 'root',
password: '',
database: 'botdb'
})
client.on("ready", () => {
console.log("I'm ready")
})
client.on("message", message => {
if (message.author.bot) return;
if (message.channel.type === 'dm') return;
let msg = message.content.split(" ");
let command = msg[0];
let prefix;
con.query(`SELECT * FROM serversettings WHERE ServerID = ${message.guild.id}`, (err, rows) => {
if (err) throw err;
prefix = rows[0].Prefix;
console.log(prefix)
})
console.log(`Prefix: ${prefix}, Command: ${command}`)
if (command === `${prefix}examplecommand`) {
//Do something
}
//Other code that uses prefix and command
}
It should log the prefix first, and then the Prefix: ${prefix}, Command: ${command} part, but it does it the other way around, so the examplecommand doesn't work.
Your result is caused by the fact that what's outside your query callback is executed immediately after the call. Keep in mind the mysql module is callback-based.
Possible Solutions
Place the code inside the callback so it's executed when the query is completed.
Wrap the query in a promise and await it.
function getGuild(guildID) {
return new Promise((resolve, reject) => {
con.query(`SELECT * FROM serversettings WHERE ServerID = '${guildID}', (err, rows) => {
if (err) return reject(err);
resolve(rows);
});
});
}
const [guild] = await getGuild(message.guild.id) // destructuring 'rows' array
.catch(console.error);
console.log(guild.prefix);
Use a Promise-based version of a MySQL wrapper, like promise-mysql. You could use it the same way as the code above, without worrying about coding your own Promises.
const [guild] = await con.query(`SELECT * FROM serversettings WHERE serverID = '${message.guild.id}'`)
.catch(console.error);
console.log(guild.prefix);
I'm making an app with express + passport and angularJS; I want to be able to send any errors produced from passport (such as username taken or no email provided) by json so my angularJS app can receive these errors in a json response. More specifically right now I want to have a json response to my signup POST method that outputs any errors. I have tried to do this for myself and I've search all over the web and stack overflow I just cannot work this out!
Here is my users route file in express:
var express = require('express');
var router = express.Router();
var isAuthenticated = require('../config/isAuthenticated');
module.exports = function(passport){
router.get('/loggedin', function(req, res){
res.send(req.isAuthenticated() ? req.user : '0');
});
router.post('/signup', passport.authenticate('local-signup', {
successRedirect : '/',
failureRedirect : '/signup',
failureFlash: true
}));
router.post('/login', passport.authenticate('local-login'), function(req, res){
res.send(req.user);
});
router.post('/signout', function(req,res){
req.logout();
res.json({redirect: '/'});
});
router.get('/authtest', isAuthenticated, function(req, res){
res.render('authtest', {user: req.user});
});
return router;
};
This is my passport signup strategy:
passport.use('local-signup', new LocalStrategy({
usernameField : 'username',
passwordField : 'password',
passReqToCallback : true
},
function(req, username, password, done){
process.nextTick(function(){
User.findOne({'local.username' : username}, function(err, user){
if(err) return done(err);
if (user) { //username already exists
return done(null, false, {message: 'Username already exists'});
} else if(!req.body.email) { //no email address provided
return done(null, false, {message: 'You must provide an email address!'});
} else {
var newUser = new User();
newUser.local.username = username;
newUser.generateHash(password, function(err, hash){
if(err) return done(err);
newUser.local.password = hash;
});
newUser.email = req.body.email;
newUser.servers = [];
newUser.save(function(err){
if(err) throw err;
return done(null, newUser);
});
};
});
});
}
));
I know looking at my code right now it looks like I haven't tried to solve this myself at all but this is just my latest working code; I have been stuck at this for the past few days!
Any help would be greatly appreciated :)
According to the current code of passport this is probably achievable by passing custom callback to handle all results of authentiction yourself. This callback is given after options or instead of those.
passport( "local-signup", { ... }, callbackFn );
or
passport( "local-login", callbackFn );
This callback is used in all resulting situations of trying to authenticae. It is thus invoked on processing errors like this:
callbackFn( err )
If (all configured) authentications have failed it is called with
callbackFn( null, false, challenge(s), status(es) )
On successfully having authenticated user the callback is invoked like so:
callbackFn( null, user, infos )
with infos optionally provided by strategies.
Now comes the bottom-side: In either situation passport.authenticate() skips usual processing but instantly invokes provided callback to care for the rest. This includes processing of any options passed in call for passport.authenticate() like flashing messages, preparing session and request for containing authenticated user etc.
Since options given passport.authenticate() are never passed into callback there is actually no obvious reason to use both.
When I was stumbling over the very same problem (linking passport-service with angular-js POST request) I declined to consider use of callback a proper solution. This callback isn't documented. And it doesn't even look quite useful for it isn't passing req, res and next to pass any actual request in callback. Thus it makes very little sense to use it at all and I'd expect it to vanish soon or to change its behaviour quite much.
So the second approach was about trying to figure out why there is a problem in AngularJS. Passport is sending plain text Unauthorized in response with status code 401. AngularJS is trying to parse this as JSON and produces Syntax error. The text Unauthorized results from passprt ending response very simply by invoking
res.statusCode = 401;
res.end(http.STATUS_CODES[res.statusCode]);
Thus a proper workaround might try to replace
either text in http.STATUS_CODES though this is having impact on processing further requests and thus isn't preferrable
or res.end() by an overloaded method acting differently if res.statusCode is 401.
Due to affecting any current request, only, I tried the latter. Replaced res.end() might be used to send any text you want:
router.post('/login',
function(req, res, next) {
var _end = res.end;
res.end = function() {
if (res.statusCode === 401) {
return _end('{"status":"Unauthorized"}');
}
return _end.apply(this, arguments);
};
next();
},
passport.authenticate('local-login'),
function(req, res) {
res.send(req.user);
}
);
Alternatively the replaced method might add previously missing response header information on content type, for this was actually causing issues in AngularJS processing that response as JSON by default.
router.post('/login',
function(req, res, next) {
var _end = res.end;
res.end = function() {
if (res.statusCode === 401) {
res.set("Content-Type", "text/plain");
}
return _end.apply(this, arguments);
};
next();
},
passport.authenticate('local-login'),
function(req, res) {
res.send(req.user);
}
);
Finally, either approach is really just a workaround. I think passport is in the need for revising this annoying limitation.
I'm trying to figure out how to use nodejs + Passport + MySQL. It seems as though just about every tutorial out there is using mongoDB and I don't want to do that. In fact some quick searches of this type will yield web pages like (http://nodejsrocks.blogspot.com/2012/04/nodejs-expressjs-mysql.html) and a youtube video that is a guy (https://www.youtube.com/watch?v=jGBbMVJx3h0) doing nothing but loging in, and who knows what he is really using, but the page has had 3K + views. I'd hope that some of the developers would look at that and say maybe there is a use for something like a comprehensive non MVC type of thing with MySQL. My reason for this is I am trying to get iOS and Android capabilities only and have no need for a large scaffolding overhead. Just the DB and server side scripting handling the queries and returning JSON objects to the phones.
So, that being said, can someone who has had real experience with this please help me out(And the rest of the world trying to do similar things without any in-depth tutorials, because we aren't using mongoDB and full blown scaffolding).
The tables I have set up for a 'TwitterStrategy' are users(id (PK), username, email, salt, password), and twitterusers(id (PK), name, screenname, location, description, url, img, token, tokensecret).
Here is the code I am trying to get going from a single main.js file. I know this is not best practices, and I plan to clean it up later, but for now, I would like to understand what I am missing and get things working. It would be extremely appreciated if someone can help, and I'm SURE others would find this very useful as well. Thanks.
var http = require('http'),
mysql = require('mysql'),
url = require('url'),
crypto = require('crypto'),
express = require('express'),
flash = require('connect-flash'),
passport = require('passport'),
TwitterStrategy = require('passport-twitter').Strategy;
var db = mysql.createConnection({
host : "****",
user : "****",
password : "****",
port : '****',
database : '****'
});
// Connect the connection to DB and throw error if exists
db.connect(function(err) {
if (err) {
console.error('Error connecting to db');
console.error(err);
return;
}
console.log('Database connected');
});
var TWITTER_CONSUMER_KEY = "****";
var TWITTER_CONSUMER_SECRET = "****";
passport.use(new TwitterStrategy({
consumerKey: TWITTER_CONSUMER_KEY,
consumerSecret: TWITTER_CONSUMER_SECRET,
callbackURL: 'http://127.0.0.1:3000/auth/twitter/callback'},
function(accessToken, refreshToken, profile, done) {
//db.query(SELECT ........ FROM ...... WHERE ........, function (err, user){
if (err) {
console.log(err);
}
if (!err && user != null){
done(null, result);
} else {
console.log(result);
}
})
});
}
));
passport.serializeUser(function(user, done) {
console.log('serializeUser: ' + user.id);
done(null, user.id);
});
passport.deserializeUser(function(id, done) {
db.query('SELECT * FROM users WHERE id = ' + id, function(err, result) {
if (err){
console.log(err);
} else {
console.log(result);
}
if (!err) {
done(null, result);
} else {
done(err, null);
}
});
});
var app = express();
app.set(function(){
// app.set('views', __dirname + '/views'); // Definitely for some views which aren't being used here
// app.set('view engine', 'jade'); // Using jade for views, not used
// app.use(express.favicon()); // Not really sure this is important, should be web only
app.use(express.logger('dev')); // Again, not really sure this is important
app.use(express.bodyParser()); // Have no idea what this is used for
app.use(express.methodOverride()); // Same no Fn clue
app.use(express.cookieParser('what the F'));
app.use(express.session());
app.use(passport.initialize());
app.use(passport.session());
app.use(flash());
// app.use(app.router); // Here again we are defining our routes in main, so shouldn't need this.
// app.use(express.static(__dirname + '/public'));
});
var server = http.createServer(function(req, res) {
console.log('url: ' + req.url);
var params = url.parse(req.url, true)
var path = params.pathname;
if (path == '/signup') {
console.log("User signing up");
onSignUp(params, res);
} else if (path == '/signin') {
console.log("User signing in");
onSignIn(params, res);
} else if (path == '/auth/twitter'){
passport.authenticate('twitter'),
function(req, res){
console.log('Twitter User Created or Signed In');
}
}
});
//Keep server alive and listening to requests with DB connected also
server.listen(3000);
Am I missing another auth table? What is it that I need to put in the MySQL statement where the dots are so that I can find the user, and what parameters are being passed from the user request to get the query going, i.e. what is this oauth ID I have seen in tutorials that is getting passed from what seems to be the user to twitter for authorization? Also, what should I be expecting from this callback from Twitter? Anyway, I'll be glad to post all of this somewhere for everyone else to look at once I have a solution made so that all of us using MySQL and node don't get left out and have to search google to find something that seems as though it should be readily available, instead of copies of the same exact nodejs + mongoDB + express tutorial (with many that are out of date except for the scotch io, which looks very good if you wanna use mongo...might I add instances over at Amazon run about $279 estimated per month on the low end) that is floating around and being redistributed by nearly anyone with a "tutorial" out there. Thanks again.
Try wrapping strategy function under process.nextTick, e.g.,
passport.use(new TwitterStrategy({
consumerKey: TWITTER_CONSUMER_KEY,
consumerSecret: TWITTER_CONSUMER_SECRET,
callbackURL: 'http://127.0.0.1:3000/auth/twitter/callback'},
function(accessToken, refreshToken, profile, done) {
process.nextTick(function(){
// this is where you put logic to check the profile sent from twitter already in your DB or not,
// its totally up to you whether you keep a separate auth table for it or not
// NB: there will be some unique value in profile that can be used for next references
db.query(SELECT ........ FROM ...... WHERE ........, function (err, user){
if (err) {
console.log(err);
}
if (!err && user != null){
done(null, result);
} else {
console.log(result);
}
})
});
});
}
));
you also have to have a route for accepting the callback, e.g.,
app.get('/auth/twitter/callback', function(req, res, next) {
passport.authenticate('twitter',
{ },
function(err, user) {
// the result you send from the strategy function will be here
// do anything you like with the user send
}
)(req, res, next);
});
Hope it makes things clearer.